30 March 2018

New CYBER MAVEN Column: Why the US is More Vulnerable to CyberAttack

In January of this year there was significant press about how the Department of Defense was considering nuclear retaliation for a cyber attack. The Joint Chiefs of Staff pushed back against this idea, stating that the new posture review spoke about strategic-level attacks beyond a nuclear scenario and that cyber wasn’t even mentioned. This entire conversation sidestepped perhaps the most important point being punctuated by this line of thinking. The United States’ geography has fundamentally shifted. No other country in the world can claim that their continuous territory has remained free from foreign adversaries in the last 200 years while actively engaging in multiple conflicts.[1] Yet today, the United States is further constrained than at any point previously in its history. A nuclear Armageddon is no longer the only thing the U.S. military and population need to worry about. Today, cyber attacks are a very real way to bring the war to the home front in a way that no one in two centuries has experienced.

The United States’ asymmetric dependence on the Internet makes cross-domain escalation the only recourse for the military. There are very few potential adversaries of the United States that are as dependent on information networks as the United States is. This makes the normal approach of offensive superiority largely an inept tactic when it comes to in-domain conflict. Simply put, the United States cannot exact the same toll on its adversaries in cyberspace that they can on it. This means there is no way for an offensive cyber program to create escalation dominance, which is fundamental for a conventional deterrence posture.

This asymmetric vulnerability can be mitigated in a couple of ways. First, the United States can seek to limit the acceptable use of destructive cyber attacks through treaties, international agreements, and norm building. Second, it can seek a technological solution to the vulnerability to change the fundamental nature of the risk calculation we are currently experiencing. Third, it can demonstrate through proclamation and action that cyber attacks will always be responded to in a cross-domain fashion, moving from the virtual to the kinetic world, where the United States enjoys escalation dominance.

Unfortunately, the United States appears to be pursuing none of these options and instead is applying traditional military conventions to a domain where the underlying assumptions are false. U.S. Cyber Command has spent the last half decade building offensive capabilities and executing attacks on the battlefields in Iraq, Syria, and Afghanistan.

Additionally, news reports claim that it has acted directly against North Korea and laid the groundwork for a retaliation against Russia in 2016. Rather than limiting the use of these tools and focusing on defensive measures to reduce our vulnerability, the Department of Defense (DoD) has been gearing up for the strongest possible offensive strikes it can muster. It wasn’t until 2018 that DoD’s Network Defense Headquarters achieved full operational capability.

Until the DoD views the Internet as the critical weakness of the U.S. military dreadnaught, policy makers and senior officials will continue to focus on offensive capabilities and the need for in-domain tit-for-tat exchanges that only serve to codify permissive action in a domain where defeat is the only option for the U.S. military. Policy needs to consider what makes the US systemically vulnerable, where current defensive authorities exist, and finally how to mitigate exposure given the inability to contain the use and spread of cyber weapons.